Security Bulletin July 2014 | Volume - 4
index
executive summary
malware size
state of malware: encrypted unencrypted
coding language
file extensions
malware types
region wise
most targeted networks
country wise analysis
attack timelines: hourly
attack timelines: dates
about us
executive summary
We at CCFIS believe in research and innovation. We capture malware, decode it and then reverse engineer it to dig out as much information about it as we can. Every malware sample we capture is analysed in depth in our state-of-the-art malware analysis lab. The best part of that lab is that, instead of relying on commercial tools, we have developed our own sandboxing environment, which can simulate almost all operating systems and network infrastructures. We have developed the capability to decode and break most of the malware that might be lurking inside your network.
We also specialise in understanding and predicting attack methodologies. In our attack analysis lab we can simulate the different types of attacks that attackers perform to compromise systems on various platforms. Once an attack methodology is identified, we release countermeasures to safeguard against it. We are also able to reverse engineer the malware and exploits attackers use to compromise systems.
Last but not least, in our forensics lab we can gather complete "DNA" analysis information on any malware or attack. The forensics lab has various capabilities that support our research, such as data recovery, memory forensics, packet analysis and many more.
With all these advanced capabilities and state-of-the-art labs, we present our research-driven security bulletin, which is the result of our analysis of different malware, attacks and exploits.
malware size
In this age we carry gigabytes of storage in our pockets and do not even notice files smaller than 10 KB or 1 MB. While analysing all the malware we captured from different locations via our ATP sensors, we realised that most of the samples were as small as 10 KB. These programs were actually not the malware itself: they were opening the gates and downloading the real malware from a remote location.
Unfortunately, most antivirus products will not detect such a program as a virus, because by itself it performs no suspicious activity on your computer; it just downloads the file that will perform the malicious activity on your computer, i.e. the malware.
Deep inside the code of these programs we found the download IP/URL, username, password and path of the malware. Some of the programs were also intelligent enough to detect your operating system and download the matching malware. For example, if you are using Windows 7 and Avast antivirus, it will download the malware that works perfectly with the combination of Windows 7 and Avast antivirus.
Across our research we found that most of these malicious programs and malware are no larger than 1 MB. So the next time you are about to ignore such files, think twice.
recommendations –
Delete unknown files. If you do not understand or recognise a file, simply delete it. Stay alert, though, and do not delete any system file.
Always monitor your Task Manager and start-up processes, locate the file behind each process, and if it is not signed by a vendor you know, simply delete it.
Most of the time you will not be able to delete this malware with a simple right-click and delete. In that case boot your computer into Safe Mode and try deleting it. If the malware is smart enough to stop you from destroying it, boot a Linux-based live OS from a pen drive and delete the files from there.
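A triage pass for the tiny downloaders described above, added here as an example and not CCFIS code: files at or below a size cap are scanned for the kinds of strings the bulletin found inside them (download URL/IP, credentials, a path) and for OS/antivirus fingerprint strings. The regexes, categories and sample files are this example's own constructed assumptions, not a published signature.

```python
"""Triage small files for embedded download locations, credentials and
OS/AV fingerprint strings (constructed example; not CCFIS code)."""
import os
import re
import tempfile

SIZE_CAP = 10 * 1024  # the bulletin's "as small as 10 KB"

# Indicator categories are this example's assumptions. \x00-aware so that
# strings packed back to back in a binary do not run together.
PATTERNS = {
    "url": re.compile(rb"(?:https?|ftp)://[\w.-]+(?::\d+)?(?:/[\w./%-]*)?"),
    "ip": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "credential": re.compile(rb"(?i)\b(?:user(?:name)?|pass(?:word)?|pwd)\s*[=:]\s*[^\s\x00]+"),
    "win_path": re.compile(rb"[A-Za-z]:\\(?:[\w .-]+\\)*[\w .-]+"),
    "fingerprint": re.compile(rb"(?i)\b(?:windows (?:xp|7|8|10)|avast|avg|kaspersky|mcafee|norton)\b"),
}

def extract_indicators(data):
    """Return {category: sorted unique matches} for one file's bytes."""
    found = {}
    for name, rx in PATTERNS.items():
        hits = {m.decode("latin-1") for m in rx.findall(data)}
        if hits:
            found[name] = sorted(hits)
    return found

def triage_small_files(root, size_cap=SIZE_CAP):
    """Walk root; report small files that carry a download location (URL or
    IP) plus at least one more indicator category. Larger files are skipped."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > size_cap:
                continue
            with open(path, "rb") as fh:
                ind = extract_indicators(fh.read())
            if ("url" in ind or "ip" in ind) and len(ind) >= 2:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = ind
    return report

def demo():
    """Constructed files: a ~2 KB stager-like blob with embedded strings, a
    plain text note with a URL, and a 20 KB blob that is over the cap."""
    root = tempfile.mkdtemp()
    stager = (b"\x00" * 700 + b"http://203.0.113.5/upd/payload.bin\x00"
              b"user=svc1\x00pass=Hunter2\x00C:\\Users\\Public\\svc.exe\x00"
              b"Windows 7\x00avast\x00" + b"\x00" * 1200)
    samples = {"svchost_helper.bin": stager,
               "readme.txt": b"See http://example.org/docs for help\n",
               "big.bin": b"\x00" * 20000 + b"http://203.0.113.5/x"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return triage_small_files(root)
```

The readme is not reported because a URL alone is not a finding, and the 20 KB blob is skipped by the size cap; only the small blob carrying a download location, credentials, a drop path and fingerprint strings is listed.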
state of malware: encrypted unencrypted
We in the information security domain claim to know all encryption and decryption algorithms, but do we actually know them all? With our research data as evidence, the answer is 'NO': we do not know even half of the encryption techniques that exist.
The CCFIS malware analysis lab is a state-of-the-art lab with the best malware analysts and almost all the tools, equipment and infrastructure. We have also developed several in-house tools and technologies to analyse the malware captured by our ATP sensors, including sandboxing technology that can simulate almost any operating system, network infrastructure and working environment.
Even after building this state-of-the-art malware analysis lab with the best experts and researchers in the country, we are not able to decrypt half of this malware into readable source code.
Nowadays hackers are not using the predefined algorithms that are publicly available on the Internet to encrypt their malware. And if the decryption methods are not known to antivirus companies, how will they detect these malicious programs as malware and release patches for their users?
To analyse these types of malware we used behavioural analysis and sandboxing technologies, on both virtual and physical machines, and we were finally able to identify them as malware. But because they were encrypted with methods that are not publicly available, we were not able to dig into the code.
recommendations –
Keep an eye on your Task Manager and see if any unknown process is running in the background.
Additionally, you can open a Command Prompt by typing cmd in Run and then run netstat to see a list of all the IPs your computer is communicating with. Before doing this, close all browsers and running applications, then see if your system is communicating with any unknown IP. If it is, block that particular IP by editing C:\Windows\System32\Drivers\etc\networks in Notepad.
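The netstat check above, turned into a repeatable triage step as an added example (not CCFIS code): Windows `netstat -ano` output is parsed and the remote IPs that are outside your own address space, in an active state and not in a known-good set are listed with the PIDs behind them, so Task Manager can be checked next. The sample output is constructed and TEST-NET addresses stand in for public hosts.

```python
"""Parse `netstat -ano` output and list unexpected active remote IPs
(constructed example; not CCFIS code)."""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED"}
# Address space treated as "ours": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed `netstat -ano` output; 192.0.2.x / 198.51.100.x / 203.0.113.x
# are documentation ranges used here as stand-ins for public hosts.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49712     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.20:49801     192.0.2.10:443         ESTABLISHED     4120
  TCP    192.168.1.20:49815     198.51.100.77:8080     ESTABLISHED     5064
  TCP    192.168.1.20:49820     203.0.113.9:4444       SYN_SENT        5064
  UDP    0.0.0.0:5355           *:*                                    1204
"""

def parse_netstat(text):
    """One Conn per connection row; headers and blank lines are skipped.
    UDP rows have no state column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append(Conn(proto, local, remote, state or "", int(pid)))
    return rows

def remote_host(addr):
    """'198.51.100.77:8080' -> '198.51.100.77'; '*:*' -> '*'."""
    return addr.rpartition(":")[0]

def is_internal(host):
    """True for our own ranges and for anything that is not an IP (e.g. '*')."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_unspecified or any(ip in net for net in INTERNAL_NETS)

def unknown_remote_ips(conns, known_good):
    """{remote IP: {pids}} for active connections to hosts you do not recognise."""
    out = {}
    for c in conns:
        host = remote_host(c.remote)
        if c.state in ACTIVE_STATES and not is_internal(host) and host not in known_good:
            out.setdefault(host, set()).add(c.pid)
    return out
```

Run `unknown_remote_ips(parse_netstat(SAMPLE_NETSTAT), {"192.0.2.10"})` to see the two unexpected hosts, both reached from PID 5064; on a live machine feed it the real netstat output and your own known-good set.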
coding language
The CCFIS malware analysis lab has developed advanced capabilities to open up malware into a coding language a human can read. In the course of our analysis to prepare advanced threat reports for our customers, we produced the chart above of the coding languages in which most of the malware was written.
In the previous issue of our security bulletin we described Perl as the favourite language of hackers for creating malware. In this issue too we found that Perl is the hackers' favourite language for coding malware. Remember the phrase 'old is gold'? Hackers remember it too: as you can see from the data above, they are still using C and C++ to code the most lethal malware.
Python is being used by attackers to code exploits and PoCs for most known CVEs. We received several Python-coded exploits for the MS Office 2010 vulnerability CVE-2014-1761 on ATP sensors that were simulating Windows 7 with MS Office 2010. We also found that most of the shells were coded in PHP, to get root access to the server hosting the web application. Attackers uploaded several PHP shells to ATP sensors that were simulating the latest version of the WordPress CMS. So if you are a WordPress user, stay alert and keep looking for new files. If you do not understand a file, Google it or simply delete it.
recommendations –
If you do not use Perl or Python on your Windows machine, installed it only out of passion and use it very rarely, consider uninstalling it; this will reduce the threat from Perl- or Python-based remote key-loggers. In our research we found that systems without these interpreters were not compromised by this malware, whereas systems with a Perl or Python interpreter were easily compromised by these remote key-logger malware.
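The "keep looking for new files" advice above as a repeatable check, added here as an example (not CCFIS code): a SHA-256 manifest of a WordPress install is taken once, and PHP files that appear or change afterwards are reported, with anything under wp-content/uploads/ ranked critical because that tree should never hold executable PHP. The directory layout and file contents in the demo are constructed.

```python
"""Hash-manifest baseline for a WordPress tree; reports new or modified PHP
files since the baseline (constructed example; not CCFIS code)."""
import hashlib
import os
import tempfile

PHP_EXTS = (".php", ".phtml", ".php5", ".phar")

def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifest(baseline, current):
    """Compare two manifests; sorted lists of new, modified and deleted paths."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def php_findings(diff):
    """(severity, change, path) for PHP files that are new or modified."""
    findings = []
    for change in ("new", "modified"):
        for path in diff[change]:
            if path.lower().endswith(PHP_EXTS):
                severity = "critical" if path.startswith("wp-content/uploads/") else "review"
                findings.append((severity, change, path))
    return sorted(findings)

def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed WordPress-like tree: take a baseline, then drop a PHP file
    into uploads/ and alter a plugin, the way the bulletin saw shells arrive."""
    root = tempfile.mkdtemp()
    _write(root, "wp-config.php", "<?php // constructed placeholder\n")
    _write(root, "wp-content/plugins/example/example.php", "<?php // v1\n")
    _write(root, "wp-content/uploads/2014/07/photo.jpg", "not really a jpeg\n")
    baseline = build_manifest(root)
    _write(root, "wp-content/uploads/2014/07/cache.php", "<?php // unexpected file\n")
    _write(root, "wp-content/plugins/example/example.php", "<?php // v1 plus edits\n")
    _write(root, "wp-content/uploads/2014/07/notes.txt", "harmless\n")
    return php_findings(diff_manifest(baseline, build_manifest(root)))
```

Store the baseline manifest off the web server (a modified shell could otherwise rewrite it) and re-run the comparison on a schedule; the notes.txt in the demo is a change, but not a PHP one, so it is not reported.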
file extensions
A filename extension is a suffix to the name of a computer file that indicates the encoding of its contents or its usage. Who says Windows-based malware comes in .exe format? Not any more. The data above proves that malware is being packed in different formats to infect users more smartly.
While we are busy planning business strategies, attackers are busy planning new attack strategies to infect our systems. In the first phase, instead of sending you malware in an executable format, they send it as .doc, .zip, .tar and other formats, and most of the time these files are password protected. In the second phase they simply send a small program that contains the password and the execution instructions for the particular malware hidden inside the .zip or .tar file. These small programs, which are not malware themselves, open up the compressed files and execute the malware.
We simulated the same techniques and were able to bypass almost all of the latest, fully updated antivirus products. If we can bypass these antivirus products in a simulation, then attackers must be bypassing all of your antivirus and security solutions too. Think about it: if your antivirus or firewall is not detecting any attacks, it does not mean you are not being attacked; it may well be that you are being attacked and your antivirus or firewall is simply not detecting it.
Attackers are also using file-renaming techniques. For example, if they want to send you a malware file named document.exe, instead of sending it as document.exe they rename it document.doc.exe. They also change the icon to make it look like a document or an audio file.
recommendations –
To detect these types of files, go to Folder Options and uncheck 'Hide extensions for known file types'. After doing so, check for files with dual extensions like document.doc.exe, and delete them.
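The dual-extension check above, as an added example (not CCFIS code): it reproduces what Explorer shows when known extensions are hidden (only the last extension disappears, so document.doc.exe is displayed as document.doc) and flags names where a harmless-looking extension is followed by an executable one. The extension lists and the demo folder are this example's own assumptions.

```python
"""Flag dual-extension names such as document.doc.exe
(constructed example; not CCFIS code)."""
import os
import tempfile

# Extensions Windows will execute or treat as active content (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
# Extensions that look harmless when they are the visible part of the name.
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
              ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".wav", ".zip", ".rar"}

def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is dropped, so document.doc.exe reads document.doc."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else name

def dual_extension_reason(name):
    """Reason string when a decoy extension is followed by an executable one,
    else None. A plain single-extension executable is not flagged."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None
    inner = os.path.splitext(stem)[1].lower()
    if inner in DECOY_EXTS:
        return f"shown as {explorer_display_name(name)!r} but runs as {ext.lower()}"
    return None

def scan_dir(root):
    """Walk root; sorted (relative path, reason) pairs for suspicious names."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            reason = dual_extension_reason(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), reason))
    return sorted(hits)

def demo():
    """Constructed download folder with decoy-named files (empty bodies)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Downloads"))
    for name in ("document.doc.exe", "report.pdf", "setup.exe",
                 "invoice.PDF.scr", "song.mp3.lnk", "notes.txt"):
        open(os.path.join(root, "Downloads", name), "wb").close()
    return scan_dir(root)
```

Case is ignored on both extensions, so invoice.PDF.scr is caught as well as document.doc.exe, while setup.exe and report.pdf pass.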
malware type
Backdoors are often installed by attackers who have compromised a system, to ease their subsequent return to it. Backdoors on your computer may be accessed by attackers without your knowledge or consent, and they are considered real security threats.
While analysing the malware captured by ATP sensors installed across the globe, we found that most of it was backdoors. An attacker tries to install a backdoor only when he has already exploited some vulnerability to compromise your system. We also found Trojans, which are generally non-self-replicating malware programs containing malicious code that, when executed, carries out malicious activities like key-logging, spamming, theft of data and possible system harm.
The most shocking finding was that 26.6% of the malicious programs were not detectable by most antivirus products. We declared these files malicious after performing behavioural and code analysis on them.
Using antivirus and security solutions is best practice, but simply relying on and trusting your antivirus is not advisable.
recommendations –
We recommend the following best practices to safeguard yourself from these identified and unidentified malware:
Always monitor the processes running in your Task Manager. If you find any suspicious process, kill it immediately.
Check the msconfig start-up options and see which programs are started automatically when you boot your system.
For browsing, we recommend Google Chrome with the Ad-block extension. Most systems get infected through careless user activity while browsing, such as clicking on lucrative and attractive ads. Google Chrome will block sites hosting malicious code and the Ad-block extension will block all annoying ads.
Run netstat at your command prompt and see if your system is trying to communicate with any unknown IP; if it is, block that IP manually from C:\Windows\System32\Drivers\etc\networks.
region wise
Alfa – Corporate simulation
Delta – Financial institution simulation
Beta – Government simulation
Our ATP sensor can simulate any network infrastructure, from the complete production environment of a bank to that of a corporate. After this analysis we realised that hackers are mostly targeting corporates. Targeting money directly is old-fashioned; targeting data that is worth money is the easier and safer trend hackers have opted for nowadays. After stealing data from corporates, hackers sell the company's sensitive files in underground communities (the deep web).
Still, financial institutions are where the money is, and this is what attracts most attackers. So we created a dummy bank with our ATP sensor and left it vulnerable to exploits. The result was as expected: hackers used very complex techniques and 0-day exploits to compromise the network and get at the money.
So if you are a corporate or a financial institution, no matter what security solutions you implement, hackers will always try to target you.
recommendations –
In this case we recommend installing an ATP sensor at your location, so that you can deflect attacks from your real network to a fake, monitored decoy server. By deflecting most of the attacks, you save your network from 70% of targeted and automated attacks.
Later on you can also replay these attacks, malware and exploits against your own network to see whether it is vulnerable.
ATP sensors deployed in metro cities were attacked and compromised more than ATP sensors deployed in other cities. This implies that if you or your organisation is in a metro city, the probability of being attacked is higher.
most targeted networks
We developed our ATP sensor to replicate several kinds of organisation: research and development, financial, educational, government and critical infrastructure.
It is obvious that research and development organisations are under continuous attack by intelligence agencies that want to understand their capabilities and gather information about what others are doing. The same organisations are attacked by hackers who steal new technologies and patents and later make money out of them.
Critical infrastructure (CI) consists of the assets that are essential for the functioning of a society and its economy. The most common CI sectors are chemicals, commercial facilities, communications, critical manufacturing, dams, defence industries, emergency services, energy and power grids, finance, government facilities, healthcare, information technology, nuclear plants, transportation, water, etc. Hackers are trying to hack these sectors.
Hacking into these sectors can result in the creation of a weapon of mass destruction.
If your organisation belongs to any of the sectors above, we recommend that you follow the best practices issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).
Financial institutions were soft targets for attacks and will remain soft targets. Nowadays attackers are even trying to penetrate educational organisations. There may be many reasons behind this, but the reasons we predict are that most universities in India are research-driven, and the research conducted by students at university level becomes a business for others, and for the students themselves, after several PoCs. So hackers are interested in this research data too: they can steal it and some investor can purchase it. Another prediction is that nowadays every other teenager is either a bug bounty hunter or a hacker, so it might also be that students are trying to hack into their university network to get question papers, or into the university ERP to manipulate their marks and attendance.
One of our major clients, Amity University, captured 500+ targeted malware samples and 20,00,000+ targeted attacks after deploying an ATP sensor. A hacker's intentions cannot always be judged from his attack methodology, so if you are an educational organisation wondering who would attack you, the example of Amity University proves you wrong.
To conclude: if an educational organisation like Amity University, which does no business and runs no production environment, is being attacked this brutally, what about the other organisations that actually do business and work in the financial sector?
country wise analysis
The table below lists the countries whose IPs were detected attacking India's network infrastructure. There are a number of possibilities:
The country attacking India's infrastructure might actually be performing the attacks and hence be responsible for sending the malware.
IPs in these countries were used as proxies to perform the attacks.
Computers in these countries might be compromised, with hackers pivoting their attacks towards India from those systems.
Country              Percent of attacks
USA                  19
China                12.6
Virgin Islands       8.6
Germany              8.3
Romania              7.1
UK                   6.7
India                3.6
China                3.2
Russian Federation   2.6
Netherlands          2.5
Italy                2.4
Japan                2.3
Korea                2.3
Australia            2.1
Hong Kong            2
Switzerland          1.6
Malaysia             1.5
Iran                 1.4
Georgia              1.3
Brazil               1.3
Turkey               1
Mauritius            1
France               2.3
Hungary              1
Slovenia             1.2
Canada               1.1
attack timelines: hourly
With the data collected from all the locations of our ATP sensors, we built a central dataset covering 6 months to predict at what time most attacks happen and when attackers are most active.
Most attacks happen between 7 PM and 10 PM. This is prime time for Indians to check their social networks, shop online and do the other personal tasks they cannot do during office hours of 9 to 6, and most attackers are active only during this time. People are using their personal computers and laptops, which are less secure than their office computers, so it is easy for an attacker to break into their systems.
Attackers are less active during the day. Our ATP sensors captured that India's infrastructure faces fewer attacks between 4 AM and 6 PM, which is the time when we are sleeping, exercising, walking or working in our offices.
Targeted attacks are not only those in which an attacker sends a mail with malware specially crafted to compromise a user's system; the real targeted attacks are those in which the attacker knows your personal timetable and knows at what time you will be online on less secure systems, performing personal and financial transactions.
attack timelines: dates
We monitored 6 months of logs from all the locations where we have installed our ATP sensors and concluded that attackers were most active on the 20th and 28th of every month.
We also found that attacks are more active at the end and the start of the month. In India most online shoppers make their online transactions on these dates, as most Indians receive their salary during this period and spend most during it.
Hackers are less active in the middle of the month. So it may be that attackers are sniffing or capturing payment details.
One cannot predict an attacker only by his attack methodology; an organisation always needs a behavioural analyst to predict the mindset of an attacker.
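The aggregation behind the hourly and date-wise timelines above, added as an example and not CCFIS code: sensor events are bucketed by local hour and by day of month. Timestamps are assumed to arrive in UTC and are converted to IST (UTC+05:30) before bucketing, which also moves late-evening UTC events onto the next calendar day; the log format, sensor names and events are constructed.

```python
"""Bucket sensor events by IST hour and day of month
(constructed example; not CCFIS code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed "timestamp source sensor event" lines, timestamps in UTC.
SAMPLE_LOG = """\
2014-06-20T13:45:00Z 203.0.113.7 alfa-noida ssh-bruteforce
2014-06-20T15:10:00Z 198.51.100.3 alfa-noida malware-drop
2014-06-20T16:05:00Z 198.51.100.3 delta-lucknow exploit-attempt
2014-06-21T04:00:00Z 203.0.113.9 beta-jaipur port-scan
2014-06-28T14:20:00Z 203.0.113.7 alfa-noida ssh-bruteforce
2014-06-28T22:30:00Z 192.0.2.44 delta-lucknow exploit-attempt
2014-07-01T13:00:00Z 192.0.2.44 beta-jaipur port-scan
"""

def parse_events(text):
    """Return IST-aware datetimes, one per non-empty log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(utc.astimezone(IST))
    return events

def hourly_histogram(events):
    """Counter of local hour (0-23) -> event count."""
    return Counter(e.hour for e in events)

def daily_histogram(events):
    """Counter of local day of month (1-31) -> event count."""
    return Counter(e.day for e in events)

def peaks(hist, n=2):
    """Top n buckets; ties are broken by the lower bucket number."""
    return sorted(hist.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def window_share(hist, start, end):
    """Fraction of events whose bucket lies in [start, end], e.g. 19..21 for
    the bulletin's 7 PM to 10 PM window."""
    total = sum(hist.values())
    inside = sum(c for b, c in hist.items() if start <= b <= end)
    return inside / total if total else 0.0
```

The 22:30 UTC event on the 28th lands at 04:00 IST on the 29th, so the daily histogram must be built after the timezone conversion or the date-wise peaks shift.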
about us
We at Amity Innovation Incubator have established a research lab, the "Center for Cyber Forensics and Information Security". CCFIS (www.ccfis.net) is founded on the core belief that cyber security is a growing concern worldwide, and that it is therefore necessary to secure and protect our country's national technology infrastructure to safeguard the future of our country and its citizens.
CCFIS is a research organisation and part of the Amity Education Group, India's leading education group with 1,00,000 students, 5 universities and many Indian and global campuses. We intend to create a research collaboration forum so that the Internet community can fight together against cyber crime.
Noida Office: Amity Innovation Incubator, Block E-3, 1st Floor, Amity University, Sector-125 Noida, UP-201301, India, Email Id: [email protected], Phone no: +91-120-4659156
Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India
Gwalior Office: Amity University Madhya Pradesh, Maharajpura (Opposite Airport), Gwalior
Jaipur Office: Amity University Rajasthan, 14, Gopalwadi, Ajmer Road, Jaipur, Rajasthan
Manesar Office: Amity University Haryana, Panchgaon, Manesar, Gurgaon, Haryana
Disclaimer – This report was prepared as an account of work done by the CCFIS research and analysis wing. Neither CCFIS, nor any of its employees, nor any of its contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
© Center for Cyber Forensics & Information Security